SC and IP work together to 
identify parameters of authorization 
service. 

SC and IP work together to 
identify customer and employee 
information needed to respond 
to an authorization request. 

SC and IP work together to define 
a credential-record format for 
storing categories of information. 

SC and IP work together to 
identify any additional information 
necessary to respond to 
authorization request. 


304 




FIG. Zf\ 





Best Available Copy 



SC and IP work together to create 
a messaging specification. 

SC and IP work together to define 
implementation rules. 

IP presents the proposed 
authorization service to a policy 
management authority at Root. 

Root-entity policy management 
authority reviews proposed service. 


308 








FIG. 3 fe&tfy £ 






Yes 



Root-entity policy management 
authority reviews proposed 
service 



No 



Root-entity policy management 
authority notifies IP. 

309 



Root stores messaging 
specification and implementation 
rules in central repository and 
notifies IP. 



IP stores approved messaging 
specification and implementation 
rules in directory and notifies SC. 

SC supplies attribute information 
to populate credential records for 
SC's employees. 



IP establishes a credential record 
for each employee of SC. 



IP stores credential records in 
directory. 



FIG. 3 

John Smith (JS) visits Web site of 
XYZ Co. (XYZ). 



XYZ Web server communicates 
data to be digitally signed to JS's 
browser. 



Data to be signed is forwarded to 
smartcard which signs the data to 
create digitally-signed document. 



JS's browser receives digitally-signed 
document and transmits 
it to XYZ's Web server. 

402 



403 



404 

Go to step 
416 



Yes 



XYZ receives digitally-signed 
document 



XYZ decides to check 
whether JS is authorized to sign 
data (e.g., purchase order) 



XYZ determines whether it has 
appropriate message format for 
desired authorization request 



No 



XYZ generates request for 
appropriate authorization request 
format, signs the request 
and sends it to Bank B. 

Bank B forwards the 
request to root entity 



409 



Root entity receives the request 
and retrieves from central repository 
access control implementation 
rules for the service identified 
in the request 



Go to step 
414 



Yes 



410 



Root entity applies the access control 
implementation rules to determine 
whether or not XYZ is authorized to 
receive the requested authorization 
request message format 



411 



No 



Root entity generates rejection 
message, signs it, and 
sends it to Bank B. 

Bank B forwards rejection 
message to XYZ 



Root retrieves from central repository 
requested authorization request 
message format, signs message 
including format, and forwards 
message to Bank B. 



Bank B forwards 
message to XYZ 



XYZ uses authorization request 
message format to generate 
authorization request 



413 



414 



415 



416 



FIG. 4 

Go to step 
428 



Yes 



XYZ signs authorization 
request message and sends 
it to Bank B 



Bank B forwards authorization 
request to Bank A 



Bank A receives request, checks 
repository for appropriate 
messaging specification data 



No 



Bank A generates a request 
for this data, signs it, and 
sends it to root entity 

419 



420 

Go to step 
426 



Yes 



Root receives the request and 
retrieves from central repository any 
applicable access-control 
implementation rules necessary 
to process the request 



Root applies access control 
implementation rules to determine 
whether or not it will release 
requested message format 



No 



Root generates a rejection 
message, signs it, and 
forwards it to Bank A 



Bank A generates a message 
indicating that it cannot process 
the authorization request, signs 
it, and forwards it to Bank B 

Bank B forwards 
message to XYZ 



Root retrieves from 
central repository requested 
authorization response message 
format, signs message including 
format, forwards it to Bank A 



Bank A retrieves from directory 
credential record for individual that 
is the subject of the authorization 
request and any necessary 
definitions and mapping 



Bank A generates authorization 
response message 

Go to step 
432 



Not 
Satisfactory 



Bank A signs the authorization 
response message and 
sends it to Bank B 



Bank B transmits authorization 
response message to XYZ 



Satisfactory 



XYZ sends confirmation 
message to JS 



429 



430 



431 



XYZ sends message to JS 
disaffirming the transaction 

RC's Web server communicates 
data to be digitally-signed to SC's 
browser 







Data to be signed is forwarded to 
SC's smart card which signs the 
data to create a digitally-signed 
document 



601 



602 



603 



SC's browser receives the digitally-signed 
document and transmits it to 
RC's Web server 

RC receives digitally-signed 
document 



RC generates an authorization 
request message 



RC creates an OCSP request for 
SC's certificate 



RC concatenates the two requests 
and signs the resulting message 

RC transmits request(s) to RP 

609 



RP identifies IP that issued 
certificate that is subject of OCSP 
request 



RP forwards the request to IP 

IP processes authorization request 

IP creates OCSP response for 
validation request 



613 



IP concatenates authorization 
response and OCSP response 
and signs the resulting message 



IP transmits response(s) to RP 



RP forwards response(s) to RC 

Go to step 
619 



Not 
Satisfactory 




Satisfactory 

618 



RC may send message to 
SC disaffirming the transaction 



619 



FIG. 6 







